Description
code-projects Simple Gym Management System v1.0 is vulnerable to SQL Injection in /gym/trainer_search.php.
Published: 2026-03-02
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Immediate Patch
AI Analysis

Impact

A vulnerability exists in the trainer_search.php page of Simple Gym Management System version 1.0, allowing an attacker to inject arbitrary SQL commands. The flaw is a classic input validation weakness (CWE‑89) that can enable an attacker to read, modify, or delete sensitive data stored in the system’s database. The impact is a compromise of data confidentiality and integrity for any user data accessed through the trainer_search.php endpoint.

Affected Systems

The product affected is Carmelo’s Simple Gym Management System, version 1.0. The weakness exists on the web server handling requests to /gym/trainer_search.php.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical severity, and the EPSS score is less than 1%, suggesting a low probability of exploitation at this time. The flaw is not listed in CISA’s KEV catalog, but the web‑based nature of the vulnerable endpoint implies that the likely attack vector is remote. No explicit prerequisites are mentioned, but the attacker would need to be able to send a request to the trainer_search.php endpoint to exploit the injection.

Generated by OpenCVE AI on April 17, 2026 at 13:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • If a vendor patch or newer version of Simple Gym Management System is available, upgrade to that version as soon as possible.
  • Modify the trainer_search.php code to use parameterized SQL queries or stored procedures, ensuring that user input is not concatenated into SQL statements.
  • Implement input validation to reject or sanitize unexpected characters in search parameters.
  • Deploy a Web Application Firewall rule set that detects and blocks typical SQL injection patterns on the /gym/trainer_search.php endpoint.

Generated by OpenCVE AI on April 17, 2026 at 13:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Title SQL Injection in Simple Gym Management System Trainer Search

Fri, 06 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Carmelo
Carmelo simple Gym Management System
CPEs cpe:2.3:a:carmelo:simple_gym_management_system:1.0:*:*:*:*:*:*:*
Vendors & Products Carmelo
Carmelo simple Gym Management System

Thu, 05 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 04 Mar 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Code-projects
Code-projects simple Gym Management System
Vendors & Products Code-projects
Code-projects simple Gym Management System

Mon, 02 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
Description code-projects Simple Gym Management System v1.0 is vulnerable to SQL Injection in /gym/trainer_search.php.
References

Subscriptions

Carmelo Simple Gym Management System
Code-projects Simple Gym Management System
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-05T16:14:49.030Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26709

cve-icon Vulnrichment

Updated: 2026-03-05T16:14:34.384Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-02T19:16:33.370

Modified: 2026-03-06T19:21:09.487

Link: CVE-2026-26709

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T13:45:16Z

Weaknesses